New Investigation Points to Three New Flame-Related Malicious
Programs: At Least One Still in the Wild

Research conducted by Kaspersky Lab in partnership with ITU’s IMPACT,
CERT-Bund/BSI and Symantec reveals Flame platform dates back to 2006 and
is still being developed

September 17, 2012 09:38 AM Eastern Daylight Time

WOBURN, Mass.--(BUSINESS WIRE)--Kaspersky Lab announces the results of
new research related to the discovery of the sophisticated nation-state
sponsored Flame cyber-espionage campaign. During the research, conducted
by Kaspersky Lab in partnership with the International Telecommunication
Union’s cybersecurity executing arm IMPACT, CERT-Bund/BSI and Symantec,
a number of Command and Control (C&C) servers used by Flame’s creators
were analyzed in detail. The analysis revealed new facts about Flame: in
particular, traces of three as-yet-undiscovered malicious programs were
found, and the development of the Flame platform was shown to date back
to 2006.

Main findings:

The development of Flame’s Command and Control platform started as
early as December 2006.

The C&C servers were disguised to look like a common Content
Management System, to hide the true nature of the project from hosting
providers or random investigations.

The servers were able to receive data from infected machines using
four different protocols; only one of them served computers infected
with Flame.

The existence of three additional protocols not used by Flame provides
proof that at least three other Flame-related malicious programs were
created; their nature is currently unknown.

One of these Flame-related unknown malicious objects is currently
operating in the wild.

There were signs that the C&C platform was still under development;
one communication scheme named “Red Protocol” is mentioned but not yet
implemented.

There is no sign that the Flame C&Cs were used to control other known
malware such as Stuxnet or Gauss.

The Flame cyber-espionage campaign was originally discovered in May 2012
by Kaspersky Lab during an investigation initiated by the International
Telecommunication Union. Following this discovery, ITU-IMPACT acted
swiftly to issue an alert to its 144 member nations, accompanied by the
appropriate remediation and cleaning procedures. The complexity of the
code and the confirmed links to the developers of Stuxnet point to Flame
being yet another example of a sophisticated nation-state sponsored cyber
operation. Originally it was estimated that Flame began operating in
2010, but the first analysis of its Command and Control infrastructure
(covering at least 80 known domain names) moved this date two years
earlier.

The findings in this particular investigation are based on the analysis
of the content retrieved from several C&C servers used by Flame. This
information was recovered despite the fact that Flame’s control
infrastructure went offline immediately after Kaspersky Lab disclosed
the existence of the malware. All servers were running the 64-bit
version of the Debian operating system, virtualized using OpenVZ
containers. Most of the servers’ code was written in the PHP programming
language. Flame’s creators took measures to make the C&C server look
like an ordinary Content Management System, in order to avoid attention
from the hosting provider.

Sophisticated encryption methods were used so that no one but the
attackers could obtain the data uploaded from infected machines. The
analysis of the scripts that handled data exchange with the victims
revealed four communication protocols, only one of which was compatible
with Flame. This means that at least three other types of malware used
these Command and Control servers. There is enough evidence to show that
at least one Flame-related malicious program is operating in the wild.
These unknown malicious programs are yet to be discovered.

Another important result of the analysis is that the development of the
Flame C&C platform started as early as December 2006. There are signs
that the platform is still in the process of development, since a new,
not yet implemented protocol called the “Red Protocol” was found on the
servers. The latest modification of the servers’ code was made on May
18, 2012 by one of the programmers.

“It was problematic for us to estimate the amount of data stolen by
Flame, even after the analysis of its Command and Control servers.
Flame’s creators are good at covering their tracks. But one mistake of
the attackers helped us to discover more data than one server was
intended to keep. Based on this we can see that more than five gigabytes
of data was uploaded to this particular server a week, from more than
5,000 infected machines. This is certainly an example of cyber espionage
conducted on a massive scale,” commented Alexander Gostev, Chief
Security Expert, Kaspersky Lab.

Detailed analysis of the contents of Flame’s command and control servers
is published at Securelist.com.

Kaspersky Lab is the world’s largest privately held vendor of endpoint
protection solutions. The company is ranked among the world’s top four
vendors of security solutions for endpoint users*. Throughout its
15-year history Kaspersky Lab has remained an innovator in IT security
and provides effective digital security solutions for consumers, SMBs
and Enterprises. The company currently operates in almost 200 countries
and territories across the globe, providing protection for over 300
million users worldwide. Learn more at www.kaspersky.com.

*The company was rated fourth in the IDC rating Worldwide Endpoint
Security Revenue by Vendor, 2010. The rating was published in the IDC
report Worldwide IT Security Products 2011-2015 Forecast and 2010 Vendor
Shares – December 2011. The report ranked software vendors according to
earnings from sales of endpoint security solutions in 2010.